
Adds mike.reid to the list of superadmin_users. #287

Merged (1 commit, Dec 27, 2023)

Conversation

mikereiddigital
Contributor

As per title, this adds the user mike.reid to the superadmin_users list.

mikereiddigital requested a review from a team as a code owner on December 27, 2023 15:28
Contributor

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Results #1-2 HIGH IAM policy document uses wildcarded action 'iam:ChangePassword' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=v5.5.7/modules/iam-group-with-policies/policies.tf:18-40
   via main.tf:75-98 (module.iam_group_admins_with_policies)
────────────────────────────────────────────────────────────────────────────────
   12    data "aws_iam_policy_document" "iam_self_management" {
   ..  
   18  ┌     actions = [
   19  │       "iam:ChangePassword",
   20  │       "iam:CreateAccessKey",
   21  │       "iam:CreateLoginProfile",
   22  │       "iam:CreateVirtualMFADevice",
   23  │       "iam:DeleteAccessKey",
   24  │       "iam:DeleteLoginProfile",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=v5.5.7/modules/iam-group-with-policies/policies.tf:75-98 (module.iam_group_admins_with_policies) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #3-4 HIGH IAM policy document uses wildcarded action 'iam:Get*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=v5.5.7/modules/iam-group-with-policies/policies.tf:53-56
   via main.tf:75-98 (module.iam_group_admins_with_policies)
────────────────────────────────────────────────────────────────────────────────
   12    data "aws_iam_policy_document" "iam_self_management" {
   ..  
   53  ┌     actions = [
   54  │       "iam:Get*",
   55  │       "iam:List*",
   56  └     ]
   ..  
   91    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=v5.5.7/modules/iam-group-with-policies/policies.tf:75-98 (module.iam_group_admins_with_policies) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #5 HIGH IAM policy document uses sensitive action 'iam:Get*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=v5.5.7/modules/iam-group-with-policies/policies.tf:58
   via main.tf:75-98 (module.iam_group_admins_with_policies)
────────────────────────────────────────────────────────────────────────────────
   12    data "aws_iam_policy_document" "iam_self_management" {
   ..  
   58  [     resources = ["*"]
   ..  
   91    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #6 HIGH IAM policy document uses sensitive action 'iam:ChangePassword' on wildcarded resource 'arn:aws:iam::*:user/${aws:username}' 
────────────────────────────────────────────────────────────────────────────────
  main.tf:154
────────────────────────────────────────────────────────────────────────────────
  134    data "aws_iam_policy_document" "force_mfa" {
  ...  
  154  [     resources = ["arn:aws:iam::*:user/$${aws:username}"]
  ...  
  241    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #7 HIGH IAM policy document uses sensitive action 'iam:CreateAccessKey' on wildcarded resource 'arn:aws:iam::*:user/${aws:username}' 
────────────────────────────────────────────────────────────────────────────────
  main.tf:165
────────────────────────────────────────────────────────────────────────────────
  134    data "aws_iam_policy_document" "force_mfa" {
  ...  
  165  [     resources = ["arn:aws:iam::*:user/$${aws:username}"]
  ...  
  241    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #8 HIGH IAM policy document uses sensitive action 'iam:DeleteSigningCertificate' on wildcarded resource 'arn:aws:iam::*:user/${aws:username}' 
────────────────────────────────────────────────────────────────────────────────
  main.tf:176
────────────────────────────────────────────────────────────────────────────────
  134    data "aws_iam_policy_document" "force_mfa" {
  ...  
  176  [     resources = ["arn:aws:iam::*:user/$${aws:username}"]
  ...  
  241    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #9 HIGH IAM policy document uses sensitive action 'iam:DeleteSSHPublicKey' on wildcarded resource 'arn:aws:iam::*:user/${aws:username}' 
────────────────────────────────────────────────────────────────────────────────
  main.tf:188
────────────────────────────────────────────────────────────────────────────────
  134    data "aws_iam_policy_document" "force_mfa" {
  ...  
  188  [     resources = ["arn:aws:iam::*:user/$${aws:username}"]
  ...  
  241    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #10 HIGH IAM policy document uses sensitive action 'iam:CreateServiceSpecificCredential' on wildcarded resource 'arn:aws:iam::*:user/${aws:username}' 
────────────────────────────────────────────────────────────────────────────────
  main.tf:200
────────────────────────────────────────────────────────────────────────────────
  134    data "aws_iam_policy_document" "force_mfa" {
  ...  
  200  [     resources = ["arn:aws:iam::*:user/$${aws:username}"]
  ...  
  241    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #11 HIGH IAM policy document uses sensitive action 'iam:CreateVirtualMFADevice' on wildcarded resource 'arn:aws:iam::*:mfa/${aws:username}' 
────────────────────────────────────────────────────────────────────────────────
  main.tf:209
────────────────────────────────────────────────────────────────────────────────
  134    data "aws_iam_policy_document" "force_mfa" {
  ...  
  209  [     resources = ["arn:aws:iam::*:mfa/$${aws:username}"]
  ...  
  241    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #12 HIGH IAM policy document uses sensitive action 'iam:DeactivateMFADevice' on wildcarded resource 'arn:aws:iam::*:user/${aws:username}' 
────────────────────────────────────────────────────────────────────────────────
  main.tf:220
────────────────────────────────────────────────────────────────────────────────
  134    data "aws_iam_policy_document" "force_mfa" {
  ...  
  220  [     resources = ["arn:aws:iam::*:user/$${aws:username}"]
  ...  
  241    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #13 MEDIUM Multi-Factor authentication is not enforced for group 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=v5.5.7/modules/iam-group-with-policies/main.tf:5-9
   via main.tf:75-98 (module.iam_group_admins_with_policies)
────────────────────────────────────────────────────────────────────────────────
    5    resource "aws_iam_group" "this" {
    6      count = var.create_group ? 1 : 0
    7    
    8      name = var.name
    9    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-enforce-group-mfa
      Impact IAM groups are more vulnerable to compromise without multi factor authentication activated
  Resolution Use terraform-module/enforce-mfa/aws to ensure that MFA is enforced

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/enforce-group-mfa/
  - https://registry.terraform.io/modules/terraform-module/enforce-mfa/aws/latest
  - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             1.435114ms
  parsing              13.136626954s
  adaptation           784.051µs
  checks               11.296789ms
  total                13.150142908s

  counts
  ──────────────────────────────────────────
  modules downloaded   15
  modules processed    16
  blocks processed     627
  files read           65

  results
  ──────────────────────────────────────────
  passed               68
  ignored              0
  critical             0
  high                 12
  medium               1
  low                  0

  68 passed, 13 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2023-12-27 15:30:45,997 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-account:~> 5.2 (for external modules, the --download-external-modules flag is required)
2023-12-27 15:30:45,997 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-roles:~> 5.5 (for external modules, the --download-external-modules flag is required)
2023-12-27 15:30:45,998 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-group-with-policies:~> 5.5 (for external modules, the --download-external-modules flag is required)
2023-12-27 15:30:45,998 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-user:~> 5.5 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 22, Failed checks: 15, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_account
	File: /main.tf:23-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "iam_account" {
		24 |   source        = "terraform-aws-modules/iam/aws//modules/iam-account"
		25 |   version       = "~> 5.2"
		26 |   account_alias = var.account_alias
		27 | 
		28 |   # We create the password policy as part of `modernisation-platform-terraform-baselines` so
		29 |   # we don't need to do it here as well
		30 |   create_account_password_policy = false
		31 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_assumable_roles
	File: /main.tf:46-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		46 | module "iam_assumable_roles" {
		47 |   source               = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles"
		48 |   version              = "~> 5.5"
		49 |   max_session_duration = 43200
		50 | 
		51 |   # Admin role
		52 |   create_admin_role       = true
		53 |   admin_role_name         = "superadmin"
		54 |   admin_role_requires_mfa = true
		55 | 
		56 |   # Poweruser role
		57 |   create_poweruser_role       = true
		58 |   poweruser_role_name         = "developer"
		59 |   poweruser_role_requires_mfa = true
		60 | 
		61 |   # Read-only role
		62 |   create_readonly_role       = true
		63 |   readonly_role_name         = "readonly"
		64 |   readonly_role_requires_mfa = true
		65 | 
		66 |   # Allow created users to assume these roles
		67 |   trusted_role_arns = [
		68 |     for user in module.iam_user : user.iam_user_arn
		69 |   ]
		70 | 
		71 |   depends_on = [time_sleep.wait_30_seconds]
		72 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_group_admins_with_policies
	File: /main.tf:75-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		75 | module "iam_group_admins_with_policies" {
		76 |   source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-policies"
		77 |   version = "~> 5.5"
		78 |   name    = "superadmins"
		79 | 
		80 |   group_users = [
		81 |     for user in module.iam_user : user.iam_user_name
		82 |   ]
		83 | 
		84 |   custom_group_policy_arns = [
		85 |     "arn:aws:iam::aws:policy/ReadOnlyAccess",
		86 |   ]
		87 | 
		88 |   custom_group_policies = [
		89 |     {
		90 |       name   = "ForceMFA"
		91 |       policy = data.aws_iam_policy_document.force_mfa.json
		92 |     },
		93 |     {
		94 |       name   = "AssumeRole"
		95 |       policy = data.aws_iam_policy_document.assume_role.json
		96 |     }
		97 |   ]
		98 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_user["aaron.robinson"]
	File: /main.tf:101-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		101 | module "iam_user" {
		102 |   for_each              = local.superadmin_users
		103 |   source                = "terraform-aws-modules/iam/aws//modules/iam-user"
		104 |   version               = "~> 5.5"
		105 |   name                  = "${each.key}-superadmin"
		106 |   force_destroy         = true
		107 |   pgp_key               = each.value
		108 |   create_iam_access_key = false
		109 | 
		110 |   # The following is dependent on whether a PGP key has been set
		111 |   create_iam_user_login_profile = length(each.value) > 0 ? true : false
		112 |   password_reset_required       = length(each.value) < 0 ? true : false
		113 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_user["david.elliott"]
	File: /main.tf:101-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		101 | module "iam_user" {
		102 |   for_each              = local.superadmin_users
		103 |   source                = "terraform-aws-modules/iam/aws//modules/iam-user"
		104 |   version               = "~> 5.5"
		105 |   name                  = "${each.key}-superadmin"
		106 |   force_destroy         = true
		107 |   pgp_key               = each.value
		108 |   create_iam_access_key = false
		109 | 
		110 |   # The following is dependent on whether a PGP key has been set
		111 |   create_iam_user_login_profile = length(each.value) > 0 ? true : false
		112 |   password_reset_required       = length(each.value) < 0 ? true : false
		113 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_user["david.sibley"]
	File: /main.tf:101-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		101 | module "iam_user" {
		102 |   for_each              = local.superadmin_users
		103 |   source                = "terraform-aws-modules/iam/aws//modules/iam-user"
		104 |   version               = "~> 5.5"
		105 |   name                  = "${each.key}-superadmin"
		106 |   force_destroy         = true
		107 |   pgp_key               = each.value
		108 |   create_iam_access_key = false
		109 | 
		110 |   # The following is dependent on whether a PGP key has been set
		111 |   create_iam_user_login_profile = length(each.value) > 0 ? true : false
		112 |   password_reset_required       = length(each.value) < 0 ? true : false
		113 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_user["edward.proctor"]
	File: /main.tf:101-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		101 | module "iam_user" {
		102 |   for_each              = local.superadmin_users
		103 |   source                = "terraform-aws-modules/iam/aws//modules/iam-user"
		104 |   version               = "~> 5.5"
		105 |   name                  = "${each.key}-superadmin"
		106 |   force_destroy         = true
		107 |   pgp_key               = each.value
		108 |   create_iam_access_key = false
		109 | 
		110 |   # The following is dependent on whether a PGP key has been set
		111 |   create_iam_user_login_profile = length(each.value) > 0 ? true : false
		112 |   password_reset_required       = length(each.value) < 0 ? true : false
		113 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_user["ewa.stempel"]
	File: /main.tf:101-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		101 | module "iam_user" {
		102 |   for_each              = local.superadmin_users
		103 |   source                = "terraform-aws-modules/iam/aws//modules/iam-user"
		104 |   version               = "~> 5.5"
		105 |   name                  = "${each.key}-superadmin"
		106 |   force_destroy         = true
		107 |   pgp_key               = each.value
		108 |   create_iam_access_key = false
		109 | 
		110 |   # The following is dependent on whether a PGP key has been set
		111 |   create_iam_user_login_profile = length(each.value) > 0 ? true : false
		112 |   password_reset_required       = length(each.value) < 0 ? true : false
		113 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_user["jake.mulley"]
	File: /main.tf:101-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		101 | module "iam_user" {
		102 |   for_each              = local.superadmin_users
		103 |   source                = "terraform-aws-modules/iam/aws//modules/iam-user"
		104 |   version               = "~> 5.5"
		105 |   name                  = "${each.key}-superadmin"
		106 |   force_destroy         = true
		107 |   pgp_key               = each.value
		108 |   create_iam_access_key = false
		109 | 
		110 |   # The following is dependent on whether a PGP key has been set
		111 |   create_iam_user_login_profile = length(each.value) > 0 ? true : false
		112 |   password_reset_required       = length(each.value) < 0 ? true : false
		113 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_user["khatra.farah"]
	File: /main.tf:101-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		101 | module "iam_user" {
		102 |   for_each              = local.superadmin_users
		103 |   source                = "terraform-aws-modules/iam/aws//modules/iam-user"
		104 |   version               = "~> 5.5"
		105 |   name                  = "${each.key}-superadmin"
		106 |   force_destroy         = true
		107 |   pgp_key               = each.value
		108 |   create_iam_access_key = false
		109 | 
		110 |   # The following is dependent on whether a PGP key has been set
		111 |   create_iam_user_login_profile = length(each.value) > 0 ? true : false
		112 |   password_reset_required       = length(each.value) < 0 ? true : false
		113 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_user["mark.roberts"]
	File: /main.tf:101-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		101 | module "iam_user" {
		102 |   for_each              = local.superadmin_users
		103 |   source                = "terraform-aws-modules/iam/aws//modules/iam-user"
		104 |   version               = "~> 5.5"
		105 |   name                  = "${each.key}-superadmin"
		106 |   force_destroy         = true
		107 |   pgp_key               = each.value
		108 |   create_iam_access_key = false
		109 | 
		110 |   # The following is dependent on whether a PGP key has been set
		111 |   create_iam_user_login_profile = length(each.value) > 0 ? true : false
		112 |   password_reset_required       = length(each.value) < 0 ? true : false
		113 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_user["mike.reid"]
	File: /main.tf:101-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		101 | module "iam_user" {
		102 |   for_each              = local.superadmin_users
		103 |   source                = "terraform-aws-modules/iam/aws//modules/iam-user"
		104 |   version               = "~> 5.5"
		105 |   name                  = "${each.key}-superadmin"
		106 |   force_destroy         = true
		107 |   pgp_key               = each.value
		108 |   create_iam_access_key = false
		109 | 
		110 |   # The following is dependent on whether a PGP key has been set
		111 |   create_iam_user_login_profile = length(each.value) > 0 ? true : false
		112 |   password_reset_required       = length(each.value) < 0 ? true : false
		113 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_user["richard.green"]
	File: /main.tf:101-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		101 | module "iam_user" {
		102 |   for_each              = local.superadmin_users
		103 |   source                = "terraform-aws-modules/iam/aws//modules/iam-user"
		104 |   version               = "~> 5.5"
		105 |   name                  = "${each.key}-superadmin"
		106 |   force_destroy         = true
		107 |   pgp_key               = each.value
		108 |   create_iam_access_key = false
		109 | 
		110 |   # The following is dependent on whether a PGP key has been set
		111 |   create_iam_user_login_profile = length(each.value) > 0 ? true : false
		112 |   password_reset_required       = length(each.value) < 0 ? true : false
		113 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_user["stephen.linden"]
	File: /main.tf:101-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		101 | module "iam_user" {
		102 |   for_each              = local.superadmin_users
		103 |   source                = "terraform-aws-modules/iam/aws//modules/iam-user"
		104 |   version               = "~> 5.5"
		105 |   name                  = "${each.key}-superadmin"
		106 |   force_destroy         = true
		107 |   pgp_key               = each.value
		108 |   create_iam_access_key = false
		109 | 
		110 |   # The following is dependent on whether a PGP key has been set
		111 |   create_iam_user_login_profile = length(each.value) > 0 ? true : false
		112 |   password_reset_required       = length(each.value) < 0 ? true : false
		113 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_user["sukeshreddy.gade"]
	File: /main.tf:101-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		101 | module "iam_user" {
		102 |   for_each              = local.superadmin_users
		103 |   source                = "terraform-aws-modules/iam/aws//modules/iam-user"
		104 |   version               = "~> 5.5"
		105 |   name                  = "${each.key}-superadmin"
		106 |   force_destroy         = true
		107 |   pgp_key               = each.value
		108 |   create_iam_access_key = false
		109 | 
		110 |   # The following is dependent on whether a PGP key has been set
		111 |   create_iam_user_login_profile = length(each.value) > 0 ? true : false
		112 |   password_reset_required       = length(each.value) < 0 ? true : false
		113 | }

github_actions scan results:

Passed checks: 132, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

TFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

mikereiddigital merged commit ee1916c into main on Dec 27, 2023
2 of 3 checks passed
mikereiddigital deleted the mp-5380-pt3 branch on December 27, 2023 15:41